Online and mobile payments often present a higher level of risk because a payment card may not be physically presented to a merchant. Differing transaction types, such as mobile payments or money transfers, may require more interaction between issuers, merchants, payment processing networks, and sending entities, which introduces additional risk. To reduce the risk involved with various transaction types, sending entities may be authenticated by an issuer. However, sending entity authentication may require the sending entity to be redirected between a merchant and an issuer, and may involve verification messages sent between multiple entities.
The fragmented authentication process between various entities with multiple redirections exposes the system to injection attacks, where malicious parties may pose as a valid entity to collect sensitive data, hijack a transaction, or otherwise disrupt the transaction or compromise data security. The merchant, issuer, and payment processing network may also process multiple transactions simultaneously, potentially with each other, and thus may need to clearly identify a sending entity and received messages in the context of a specific instance of an authentication process.
Thus, there is a need in the art for a token-based transaction authentication system that addresses the above concerns. Embodiments of the invention address these and other problems, individually and collectively.